
Releases should not depend on insecure or untrusted code #855

Closed
JLLeitschuh opened this issue Feb 18, 2019 · 8 comments

Comments

@JLLeitschuh

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

The build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM'd to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this.

This vulnerability has a CVSS v3.0 Base Score of 8.1/10
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This isn't just theoretical

POC code exists already to maliciously compromise a JAR file inflight.
See:

MITM Attacks Increasingly Common:

See:

Source Locations:

Download of Eclipse SDK:

Eclipse SDK has no checksum verification:

Download of Gradle:
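
The build-file problem the report describes (dependency and tool downloads resolved over plain HTTP, plus an SDK download with no checksum check) worked through as an added example. This is not Buildship's build code, the fix PR, or the reporter's PoC: the build-file contents, host names, URLs and archive bytes are constructed for the demonstration. It shows the three checks a reviewer would apply to the source locations listed above: find every plain-HTTP URL in the build files, rewrite them to HTTPS, and pin a SHA-256 for the downloaded distribution (Gradle's wrapper honours a `distributionSha256Sum` property in gradle-wrapper.properties for exactly this).

```python
"""Added example (not Buildship's or the reporter's code): find dependency and tool
downloads that a build resolves over plain HTTP, rewrite them to HTTPS, and verify a
downloaded artifact against a pinned SHA-256 before it is used. All sample build
files, URLs and archive bytes below are constructed for the demonstration."""
import hashlib
import hmac
import re

# Matches plain-HTTP URLs, including the "http\://" form used in Java .properties
# files (gradle-wrapper.properties escapes the colon). "https://" never matches.
INSECURE_URL = re.compile(r'\bhttp\\?://[^\s\'"<>]+')

# Constructed samples that stand in for files in a repository checkout.
SAMPLE_FILES = {
    "build.gradle": (
        "repositories {\n"
        "    maven { url 'http://repo.example.org/maven2' }\n"  # plain HTTP: MITM-able
        "    maven { url 'https://repo.maven.apache.org/maven2' }\n"
        "}\n"
    ),
    "gradle/wrapper/gradle-wrapper.properties": (
        "distributionUrl=http\\://services.example.org/distributions/gradle-bin.zip\n"
    ),
    "eclipse.target": (
        '<repository location="https://download.example.org/releases/"/>\n'
    ),
}


def find_insecure_urls(text):
    """Return (line_number, url) for every plain-HTTP URL in one build file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in INSECURE_URL.finditer(line):
            hits.append((lineno, match.group(0).replace("\\", "")))
    return hits


def scan_build_files(files):
    """Map each file name to its insecure URLs; files with none are omitted."""
    report = {}
    for name, text in files.items():
        hits = find_insecure_urls(text)
        if hits:
            report[name] = hits
    return report


def rewrite_to_https(text):
    """Switch every plain-HTTP URL to HTTPS. This is only a fix if the host really
    serves TLS on that path, so resolve each rewritten URL before committing it."""
    return re.sub(r'\bhttp(\\?://)', r'https\1', text)


def pin_wrapper_checksum(properties_text, sha256_hex_value):
    """Rewrite the wrapper URL to HTTPS and add Gradle's distributionSha256Sum
    property so the wrapper refuses a distribution whose digest differs."""
    hardened = rewrite_to_https(properties_text)
    if "distributionSha256Sum=" not in hardened:
        hardened += f"distributionSha256Sum={sha256_hex_value}\n"
    return hardened


def sha256_hex(data):
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data, expected_sha256_hex):
    """Accept an artifact only if its SHA-256 equals the pinned value (constant-time
    compare). Without this check even an HTTPS download trusts the server alone."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


if __name__ == "__main__":
    for name, hits in scan_build_files(SAMPLE_FILES).items():
        for lineno, url in hits:
            print(f"{name}:{lineno}: insecure download {url}")
    # Constructed stand-in for a downloaded distribution and its pinned digest.
    pristine = b"PK\x03\x04 constructed gradle-bin.zip"
    pinned = sha256_hex(pristine)
    print(pin_wrapper_checksum(SAMPLE_FILES["gradle/wrapper/gradle-wrapper.properties"], pinned))
    print("pristine accepted:", verify_download(pristine, pinned))
    print("tampered accepted:", verify_download(pristine + b"\x90", pinned))
```

Run the scanner over a checkout before tagging a release; a non-empty report is a release blocker. The rewrite is mechanical, so confirm each rewritten host actually answers on HTTPS, and for any download that is not a Maven/p2 repository (an SDK zip, a wrapper distribution) pin the digest as well, since TLS alone only authenticates the mirror, not the file it chose to serve.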

@donat
Contributor

donat commented Mar 12, 2019

Thanks for reporting this. I'll try to fix this.

@donat donat self-assigned this Mar 12, 2019
@JLLeitschuh
Author

Heads up, I plan to publish a public disclosure about this industry-wide vulnerability on June 10th, 2019.

@JLLeitschuh
Author

Ping!

@donat
Contributor

donat commented May 2, 2019

I'll take care of this before the deadline.

@JLLeitschuh
Author

@donat This will also need a CVE issued. That can be done through @waynebeaton as the Eclipse Foundation is a CNA.

See this format as an example:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546622

@donat donat added this to the 3.1.1 milestone May 28, 2019
@donat
Contributor

donat commented May 28, 2019

I've implemented the fix for this issue. See the PR ☝️.
@JLLeitschuh I trust you handle the CVE report.

@JLLeitschuh
Author

@donat You need to file for the CVE with @waynebeaton using the Eclipse bug tracker. Since the Eclipse organization is a CNA, the Eclipse security team does the reporting. You or some other contributor needs to be the one to ask @waynebeaton to do the filing.

See this format as an example:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546622

@donat donat added the security label May 28, 2019
@donat donat changed the title [SECURITY] Releases are built/executed/released in the context of insecure/untrusted code Releases are built/executed/released in the context of insecure/untrusted code May 28, 2019
@donat
Contributor

donat commented May 28, 2019

CVE request submitted: https://bugs.eclipse.org/bugs/show_bug.cgi?id=547734

@donat donat closed this as completed May 28, 2019
@donat donat changed the title Releases are built/executed/released in the context of insecure/untrusted code Releases should not depend on insecure or untrusted code Jul 1, 2019